---
title: "Check Untrust Flag"
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/dockerfile_best_practices/check-untrust-flag/
---


### Description

Using the `--allow-untrusted` flag in a Dockerfile is generally not recommended. Allowing untrusted packages can introduce security risks, because the authenticity and integrity of those packages cannot be guaranteed. This policy ensures that Dockerfiles do not contain the `--allow-untrusted` flag.
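
The check described above, sketched in Python as an added example (this is not the Nirmata policy or Kyverno code): it joins backslash-continued lines, skips comments, and reports `RUN` instructions that contain the flag. Both sample Dockerfiles are constructed, `mytool.apk` is a placeholder file name, and the default `\` escape character is assumed.

```python
import re

# Constructed sample: a Dockerfile that violates the policy. The package
# file name is a placeholder; the flag sits on a continuation line.
NON_COMPLIANT = """\
FROM alpine:latest
# --allow-untrusted in a comment is not a finding
COPY mytool.apk /tmp/
RUN apk update && \\
    apk add --allow-untrusted /tmp/mytool.apk
"""

# Constructed sample: a Dockerfile that installs only from signed repositories.
COMPLIANT = """\
FROM alpine:latest
RUN apk update && \\
    apk add --no-cache curl
WORKDIR /app
COPY . /app
CMD ["echo", "Container is running!"]
"""

# Match the exact flag, not a longer option that merely starts with it.
FLAG = re.compile(r"(?<![\w-])--allow-untrusted(?![\w-])")
RUN = re.compile(r"\s*RUN\s", re.IGNORECASE)

def logical_instructions(text):
    """Yield (start_line, instruction) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments, also inside a continuation
        if start is None:
            start = n
        buf.append(line[:-1].strip() if line.endswith("\\") else line)
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)

def find_allow_untrusted(text):
    """Return [(line, instruction)] for RUN instructions that carry the flag."""
    return [(n, ins) for n, ins in logical_instructions(text)
            if RUN.match(ins) and FLAG.search(ins)]
```
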

### Kyverno policy

Refer to the Nirmata curated policies - [check-untrust-flag](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-untrust-flag/check-allow-untrusted-flag.yaml).

### Resource example

Below is an example of a Dockerfile that complies with this policy.

```dockerfile
FROM alpine:latest

RUN apk update && \
    apk add --no-cache curl

WORKDIR /app

COPY . /app

CMD ["echo", "Container is running!"]
```

